As mentioned in the Editorial Board teleconference on Tuesday, we will be actively working to resolve the CVE ID syntax change over the next couple months.

The basic steps will be:

1) MITRE will review existing Board feedback and perform a “down-select” of ID schemes to consider, with no more than 3 options. We intend to do this early next week.

2) After the down-select, we will engage the public to get their feedback on the choices. This will take the form of posts to some security mailing lists, our CVE-Announce mailing list, and direct emails to CNAs and CVE-compatible vendors.
The public feedback period will begin soon after the down-select.

3) After a period of public feedback – probably no less than 2 weeks, possibly more – MITRE will have another round of internal discussions to process the feedback and come up with recommendations.

4) We will then have a formal Editorial Board vote. We have not yet decided on the mechanics of the vote (e.g., whether to select a single scheme and have the Board vote yes/no, or to do something more complex). However, the rule of “one
vote per organization” will apply.

5) After the vote, the final ID scheme will be selected.

Since RSA will be a great opportunity to engage the public and get direct feedback, we might delay the formal vote and final decision until after then. However, we have not decided yet.